{
	"id": "534ed8ab-e7d2-4411-998c-95e8cc5178d4",
	"created_at": "2026-04-06T00:09:35.706182Z",
	"updated_at": "2026-04-10T03:24:30.224854Z",
	"deleted_at": null,
	"sha1_hash": "0a4d6068b4eb06674b47ae1666ec40bf2bea99b9",
	"title": "Inside Cridex - Memory Analysis Case Study - Memory Forensic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50031,
	"plain_text": "Inside Cridex - Memory Analysis Case Study - Memory Forensic\r\nBy Husam Shbib\r\nPublished: 2024-10-02 · Archived: 2026-04-02 10:58:31 UTC\r\nIntroduction\r\nCridex, also known as Dridex, is a banking worm (evolved over the year to be full-featured banking malware) that\r\nemploys advanced techniques to evade detection and facilitate the theft of financial information. Memory\r\nforensics is crucial in analyzing Cridex due to its ability to operate in memory and evade traditional file-based\r\ndetection methods.\r\nKeep in mind that this study case is not a full walk-through investigation, instead, it gives you just an idea on\r\nanalyzing memory dumps. It will be beneficial, especially for beginners to get started.\r\nAs MemoryForensic is a collaborative blue team platform, we are sharing valuable community-contributed\r\nresources like this one – Cridex case study.\r\nNote: Fileless malware or memory-resident malware don’t necessarily mean that all stages of the cyber kill chain\r\noccur entirely in memory. While certain steps, such as execution and command-and-control communication, may\r\nhappen in memory, other stages like initial infection, persistence mechanisms, or lateral movement might involve\r\nwriting to disk, using registry keys, or dropping small files as triggers.\r\nCredit\r\nThis work is done by Diyar Saadi, and this article is based on his work and analysis.\r\nDownloading the Cridex Memory Dump / Running on the Cloud Lab\r\nAttention: the sample you are about to download may include malicious files and malware samples. To\r\nprotect your system, please analyze it on a completely isolated virtual machine if it is not running on\r\ncloud\r\nYou can download the memory dump directly from here.\r\nUsed Tools\r\nVolatility2\r\nVolatility WorkBench2\r\nVirusTotal\r\nCridex Analysis Steps\r\nhttps://memoryforensic.com/inside-cridex-memory-analysis-case-study/\r\nPage 1 of 2\n\nUsing Volatility:\r\nLoad the memory dump into a forensics tool like Volatility.\r\nUse plugins to extract information about running processes, network sockets, and loaded DLLs.\r\nIdentifying Malicious Processes:\r\nLook for processes that exhibit suspicious behavior, such as unusual names or those running from\r\nunexpected locations.\r\nCheck for injected code or modified processes that may indicate Cridex activity.\r\nChecking Network Connections:\r\nAnalyze active network connections to identify communications with known Cridex command and\r\ncontrol servers.\r\nUse the netscan or connscan plugins to identify any abnormal network activity.\r\nRecovering Artifacts:\r\nExtract artifacts like clipboard content, which might contain stolen information, or passwords saved\r\nin memory.\r\nUse the cmdscan or consoles plugins to examine command history that might reveal user\r\ninteractions with the malware.\r\nDetecting Persistence Mechanisms:\r\nAnalyze the registry keys and services that might indicate how Cridex maintains persistence on the\r\ninfected system.\r\nLook for unusual entries that may have been created by the malware.\r\nThe Case Study Document\r\nConclusion\r\nWe briefly analyzed Cridex malware residing in a memory dump, provided some tips and tricks, that will give you\r\na start in analyzing memory dumps.\r\nWe hope that you download the memory dump in safe environment, try analyzing it before the case study file to\r\nbetter enhance your memory analysis skills.\r\n~ Cya till the next one 🙂\r\nSource: https://memoryforensic.com/inside-cridex-memory-analysis-case-study/\r\nhttps://memoryforensic.com/inside-cridex-memory-analysis-case-study/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://memoryforensic.com/inside-cridex-memory-analysis-case-study/"
	],
	"report_names": [
		"inside-cridex-memory-analysis-case-study"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434175,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a4d6068b4eb06674b47ae1666ec40bf2bea99b9.pdf",
		"text": "https://archive.orkl.eu/0a4d6068b4eb06674b47ae1666ec40bf2bea99b9.txt",
		"img": "https://archive.orkl.eu/0a4d6068b4eb06674b47ae1666ec40bf2bea99b9.jpg"
	}
}